{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1560.001 - Archive Collected Data: Archive via Utility",
    "\n",
    "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data.\n\nSome 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Compress Data for Exfiltration With Rar\nAn adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.\nWhen the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory \n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `None`!\n##### Description: Rar tool must be installed at specified location (#{rar_exe})\n\n##### Check Prereq Commands:\n```None\nif not exist \"%programfiles%/WinRAR/Rar.exe\" (exit /b 1)\n\n```\n##### Get Prereq Commands:\n```None\necho Downloading Winrar installer\nbitsadmin /transfer myDownloadJob /download /priority normal \"https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe\" %TEMP%\\winrar.exe\necho Follow the installer prompts to install Winrar\n%TEMP%\\winrar.exe\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1560.001 -TestNumbers 1 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `command_prompt`\n```command_prompt\n\"%programfiles%/WinRAR/Rar.exe\" a -r %USERPROFILE%\\T1560.001-data.rar %USERPROFILE%\\*.txt\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1560.001 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar\nNote: Requires winrar installation\nrar a -p\"blue\" hello.rar (VARIANT)\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nmkdir .\\tmp\\victim-files\ncd .\\tmp\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\nrar a -hp\"blue\" hello.rar\ndir\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1560.001 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip\nNote: Requires winzip installation\nwzzip sample.zip -s\"blueblue\" *.txt (VARIANT)\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `powershell`!\n##### Description: Winzip must be installed\n\n##### Check Prereq Commands:\n```powershell\ncmd /c 'if not exist \"%ProgramFiles%\\WinZip\\winzip64.exe\" (echo 1) else (echo 0)'\n\n```\n##### Get Prereq Commands:\n```powershell\nif(Invoke-WebRequestVerifyHash \"https://download.winzip.com/gl/nkln/winzip24-home.exe\" \"$env:Temp\\winzip.exe\" B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB){\n  Write-Host Follow the installation prompts to continue\n  cmd /c \"$env:Temp\\winzip.exe\"\n}\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1560.001 -TestNumbers 3 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `command_prompt`\n```command_prompt\npath=%path%;\"C:\\Program Files (x86)\\winzip\"\nmkdir .\\tmp\\victim-files\ncd .\\tmp\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"%ProgramFiles%\\WinZip\\winzip64.exe\" -min -a -s\"hello\" archive.zip *\ndir\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1560.001 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip\nNote: Requires 7zip installation\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nmkdir $PathToAtomicsFolder\\T1560.001\\victim-files\ncd $PathToAtomicsFolder\\T1560.001\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n7z a archive.7z -pblue\ndir\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1560.001 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #5 - Data Compressed - nix - zip\nAn adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.\n\n**Supported Platforms:** linux, macos\n#### Dependencies:  Run with `None`!\n##### Description: Files to zip must exist (#{input_files})\n\n##### Check Prereq Commands:\n```None\nif [ $(ls $HOME/*.txt | wc -l) > 0 ]; then exit 0; else exit 1; fi;\n\n```\n##### Get Prereq Commands:\n```None\necho Please set input_files argument to include files that exist\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1560.001 -TestNumbers 5 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `sh`\n```sh\nzip $HOME/data.zip $HOME/*.txt\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1560.001 -TestNumbers 5"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #6 - Data Compressed - nix - gzip Single File\nAn adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `sh`\n```sh\ntest -e $HOME/victim-gzip.txt && gzip -k $HOME/victim-gzip.txt || (echo 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101' >> $HOME/victim-gzip.txt; gzip -k $HOME/victim-gzip.txt)\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1560.001 -TestNumbers 6"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #7 - Data Compressed - nix - tar Folder or File\nAn adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.\n\n**Supported Platforms:** linux, macos\n#### Dependencies:  Run with `None`!\n##### Description: Folder to zip must exist (#{input_file_folder})\n\n##### Check Prereq Commands:\n```None\ntest -e $HOME/$USERNAME\n\n```\n##### Get Prereq Commands:\n```None\necho Please set input_file_folder argument to a folder that exists\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1560.001 -TestNumbers 7 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `sh`\n```sh\ntar -cvzf $HOME/data.tar.gz $HOME/$USERNAME\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1560.001 -TestNumbers 7"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #8 - Data Encrypted with zip and gpg symmetric\nEncrypt data for exiltration\n\n**Supported Platforms:** macos, linux\n#### Dependencies:  Run with `sh`!\n##### Description: gpg and zip are required to run the test.\n##### Check Prereq Commands:\n```sh\nif [ ! -x \"$(command -v gpg)\" ] || [ ! -x \"$(command -v zip)\" ]; then exit 1; fi;\n\n```\n##### Get Prereq Commands:\n```sh\necho \"Install gpg and zip to run the test\"; exit 1;\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1560.001 -TestNumbers 8 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `sh`\n```sh\nmkdir -p /tmp/T1560\ncd /tmp/T1560; touch a b c d e f g\nzip --password \"InsertPasswordHere\" /tmp/T1560/T1560 ./*\necho \"InsertPasswordHere\" | gpg --batch --yes --passphrase-fd 0 --output /tmp/T1560/T1560.zip.gpg -c /tmp/T1560/T1560.zip\nls -l /tmp/T1560\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1560.001 -TestNumbers 8"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}